I set up my router from scratch and changed the local address and the DHCP server, of course, but a few devices are picking up DHCP leases from the default 192.168.88.1...
I would appreciate any help.
# mar/29/2022 14:25:17 by RouterOS 7.1.5
# software id = RY13-W6WU
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CB65217
# NOTE(review): the software id and serial number above identify this specific
# device; strip them from an export before posting it publicly.
/interface bridge
# Creates the one bridge that every LAN port and both radios are attached to
# further down. Only the name is set; no DHCP-snooping or VLAN-filtering
# property appears in this export.
# NOTE(review): with nothing on the bridge restricting DHCP server replies, any
# device plugged into a bridged port can hand out leases (the symptom reported:
# leases from 192.168.88.1). RouterOS offers bridge dhcp-snooping=yes together
# with trusted=yes on the bridge port facing the legitimate server; check the
# bridge documentation for its effect on hardware offload before enabling.
add name=bridge
/interface vlan
# VLAN 10 sub-interface, later added to the MANAGE interface list and given
# 10.0.10.1/24 with its own DHCP server.
# NOTE(review): the parent is ether5, which this export also adds to the bridge
# as a port. A VLAN interface on a bridge slave port is a layout MikroTik's
# documentation warns against; tagged frames may never reach vlan10. Confirm
# whether ether5 should leave the bridge or vlan10 should sit on the bridge.
add interface=ether5 name=vlan10 vlan-id=10
/interface list
# Named interface groups referenced by the firewall, neighbor discovery and
# the MAC server settings. Membership is assigned under
# "/interface list member".
add name=WAN
add name=LAN
# MANAGE is populated (vlan10) but no firewall rule in this export refers to it.
add name=MANAGE
/interface wireless security-profiles
# The default profile only gets a supplicant identity; it is not the profile
# used by either radio below.
set [ find default=yes ] supplicant-identity=MikroTik
# Profile applied to both radios. No pre-shared key is visible here; presumably
# the export omitted sensitive values.
# NOTE(review): wpa2-eap is enabled next to wpa2-psk, yet no EAP/RADIUS setting
# appears in this export. If only the passphrase is used, drop wpa2-eap so the
# AP advertises a single, intended authentication method.
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=wlan-passwd \
supplicant-identity=""
/interface wireless
# 2.4 GHz radio: access point for SSID Internet2G, using the wlan-passwd profile.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=slovenia disabled=no frequency=auto mode=ap-bridge \
security-profile=wlan-passwd ssid=Internet2G
# 5 GHz radio: access point for SSID Internet5G, same security profile.
# Both radios are bridged with the wired ports further down, so wireless
# clients share one layer-2 segment with wired hosts.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=slovenia disabled=no frequency=auto mode=\
ap-bridge security-profile=wlan-passwd ssid=Internet5G wireless-protocol=\
802.11
/ip pool
# Lease range for the bridged LAN.
# NOTE(review): this range contains 10.0.1.10 and 10.0.1.20, the two addresses
# on the allowed_to_router firewall list, and no static lease section appears
# in this export. A dynamic lease could give either address to an arbitrary
# client, which would then pass the router's management rule. Reserve those
# addresses with static leases or exclude them from the range.
add name=dhcp ranges=10.0.1.3-10.0.1.254
# Lease range for the vlan10 subnet. It also covers 10.0.10.5 and 10.0.10.6,
# the port-forward targets in the NAT table; those hosts presumably need fixed
# addresses as well.
add name=vlan10_dhcp ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
# DHCP server for the bridged LAN, bound to the bridge itself (not to a port).
add address-pool=dhcp interface=bridge name=main_dhcp
# DHCP server for vlan10.
# NOTE(review): vlan10 rides on ether5, which is also a bridge port, so this
# server may never see client requests. Confirm after sorting out the
# vlan10/ether5 layout.
add address-pool=vlan10_dhcp interface=vlan10 name=vlan10_dhcp
/interface bridge port
# ether2-ether5 and both radios become ports of the single bridge, i.e. one
# broadcast domain. ether1 is left out and serves as WAN.
# NOTE(review): because DHCP is broadcast, a second DHCP server reachable
# through any of these ports (for example another RouterOS device still on its
# factory 192.168.88.1 configuration, cabled with a LAN port facing this
# network) will answer clients alongside main_dhcp. Locate it by the MAC
# address of the 192.168.88.1 offers and which bridge port learned that MAC.
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
# ether5 is also the parent interface of vlan10 (see /interface vlan).
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
# Neighbor discovery is limited to interfaces on the LAN list, so the router
# does not announce itself on ether1 (WAN) or vlan10 (MANAGE).
set discover-interface-list=LAN
/interface list member
# ether1 is the only WAN member.
add interface=ether1 list=WAN
# LAN holds the bridge plus most of its ports.
# NOTE(review): ether5 is a bridge port but is not listed here, unlike
# ether2-ether4. Rules matching in-interface-list normally see the bridge as
# the incoming interface, so listing the bridge alone is usually what matters;
# confirm the per-port entries are intentional.
add interface=bridge list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
# vlan10 is the sole MANAGE member; it is not part of LAN.
add interface=vlan10 list=MANAGE
/ip address
# Static public address on the WAN port (last two octets masked by the poster).
add address=89.212.x.x/16 interface=ether1 network=89.212.0.0
# Router address on the bridged LAN; it is the gateway handed out by main_dhcp.
# Nothing in this export assigns 192.168.88.1 to this router, so leases from
# that address originate from another device.
add address=10.0.1.1/24 interface=bridge network=10.0.1.0
# Router address on vlan10.
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
/ip dhcp-client
# A DHCP client entry exists on the WAN port but is disabled; the WAN address
# is configured statically under /ip address.
add disabled=yes interface=ether1
/ip dhcp-server alert
# Rogue-DHCP-server detection, enabled on each radio.
# NOTE(review): wlan1 and wlan2 are bridge ports; IP services on a bridged
# network are normally attached to the bridge interface, so these two entries
# may never report anything. Consider a single entry on interface=bridge.
# No valid-server is set either; listing the MAC address of the legitimate
# server (<MAC-of-legitimate-DHCP-server>, placeholder) keeps it from being
# reported. No on-alert script is set, so a detection would presumably only
# show up in the log.
add disabled=no interface=wlan1
add disabled=no interface=wlan2
/ip dhcp-server network
# Options handed to LAN clients: gateway is the router, but DNS is 10.0.10.5,
# a host in the vlan10 subnet. LAN clients therefore depend on the forward
# rule that accepts bridge -> vlan10 traffic.
add address=10.0.1.0/24 dns-server=10.0.10.5 gateway=10.0.1.1 netmask=24
# Options handed to vlan10 clients; same DNS host.
add address=10.0.10.0/24 dns-server=10.0.10.5 gateway=10.0.10.1
/ip dns
# The router resolves through 10.0.10.5 and also accepts DNS queries from
# other hosts (allow-remote-requests=yes).
# NOTE(review): clients are given 10.0.10.5 directly via DHCP, so the router's
# own resolver may not need to answer anyone. While it stays enabled, the
# input chain is the only thing keeping it from being an open resolver on the
# WAN side; set allow-remote-requests=no if nothing relies on it.
set allow-remote-requests=yes servers=10.0.10.5
/ip firewall address-list
# Hosts allowed to reach the router itself (used by the second input rule).
# NOTE(review): both addresses fall inside the "dhcp" pool range
# 10.0.1.3-10.0.1.254, so they are only as trustworthy as the lease
# assignment; pin them with static leases or move them out of the pool.
add address=10.0.1.10 list=allowed_to_router
add address=10.0.1.20 list=allowed_to_router
# Special-purpose and private ranges that should never appear as sources or
# destinations on the public side. 10.0.0.0/8 is included, which covers both
# local subnets (10.0.1.0/24 and 10.0.10.0/24).
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# Addresses that must never be forwarded, in either direction (used by the two
# "drop bad forward IPs" rules).
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# Entries without an address for the two DDoS lists; the detect-ddos chain is
# what would add addresses to them at run time.
add list=ddos-attackers
add list=ddos-target
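/ip firewall filter
# Input chain: traffic addressed to the router itself. Rules are evaluated
# top-down and the first match decides.
# ICMP to the router is accepted on every interface, WAN included.
add action=accept chain=input protocol=icmp
# Management hosts (10.0.1.10 and 10.0.1.20). The rule originally matched on
# source address alone, so a packet arriving on ether1 that merely claimed one
# of those sources was accepted as well. It is now tied to the LAN interface
# list; the bridge is a LAN member and both hosts live in the bridge subnet,
# so legitimate access is unchanged.
add action=accept chain=input in-interface-list=LAN src-address-list=allowed_to_router
# Replies to connections the router opened itself, plus untracked packets.
add action=accept chain=input connection-state=established,related,untracked
# Everything else is dropped. The first drop is redundant with the
# unconditional one below it but is kept as the author wrote it.
# Effect to be aware of: LAN hosts that are not on allowed_to_router cannot
# reach any router service over IP, and vlan10 (list MANAGE) has no accept
# rule at all, so the router cannot be managed from that VLAN.
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input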
# Forward chain (still under /ip firewall filter): traffic routed through the
# router. Rules are evaluated top-down, first match wins, and this export
# contains no final drop rule, so anything that matches none of the rules
# below is forwarded.
# NOTE(review): because of that default accept, new connections from vlan10
# towards the bridged LAN are not blocked by any rule here. Add an explicit
# final drop once the intended flows are accepted.
# FastTrack and plain accept for established/related connections.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
# Invalid packets are dropped and logged.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# Every LAN host may open any connection into vlan10, the subnet that also
# holds the internet-facing servers 10.0.10.5 and 10.0.10.6.
# NOTE(review): if vlan10 is meant as a management network (list name MANAGE),
# narrow this to the ports LAN clients need, e.g. DNS to 10.0.10.5.
add action=accept chain=forward in-interface=bridge out-interface=vlan10
# LAN traffic leaving the bridge towards non-public destinations is dropped
# and logged. vlan10 destinations were already accepted by the rule above.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge
# New connections entering on ether1 are dropped unless a dst-nat rule
# matched them.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# established/related was already accepted above; the only new thing this
# rule contributes is "untracked".
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE(review): no rule with chain=icmp appears in this export, so this jump
# presumably lands in an empty chain and returns without filtering anything.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
# Packets from the WAN port with a non-public source address. New connections
# from ether1 that were not dst-nat'ed are already dropped earlier, so this
# mainly affects port-forwarded traffic.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
# Anti-spoofing for the bridged LAN: sources outside 10.0.1.0/24 are dropped.
# A client holding a 192.168.88.x lease from the other DHCP server would be
# caught here if it sent traffic through this router.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=LAN_!LAN src-address=!10.0.1.0/24
# Disabled leftover from the default configuration.
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" disabled=yes \
ipsec-policy=in,ipsec
# NOTE(review): the next three rules repeat matchers that earlier rules in
# this chain already handle (established/related, invalid, and new
# non-dst-nat'ed WAN traffic, ether1 being the only WAN member), so they
# should never match. Removing them makes the rule set easier to audit.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Source or destination in no_forward_ipv4 is dropped. These sit after the
# accept rules above, so they only see traffic not accepted earlier.
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
# detect-ddos chain: packets within the per source/destination rate limit
# return to the caller; packets beyond it put their destination on ddos-target
# and their source on ddos-attackers for 10 minutes.
# NOTE(review): no rule in this export jumps to detect-ddos, so the chain is
# never evaluated and the raw-table drop that relies on these two lists cannot
# trigger. A jump rule for new connections is needed for it to take effect.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
/ip firewall nat
# Outbound source NAT for everything leaving through a WAN interface.
add action=masquerade chain=srcnat out-interface-list=WAN
# Port forwards from the WAN port. Every enabled rule below exposes a service
# on 10.0.10.5 or 10.0.10.6 to the internet; both hosts are in the vlan10
# subnet, whose interface is on the list named MANAGE.
# NOTE(review): internet-facing servers and a management network in the same
# subnet mean a compromised server sits next to whatever is managed there.
# Confirm that is intended.
add action=dst-nat chain=dstnat comment="jenna HTTP" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=80
add action=dst-nat chain=dstnat comment="jenna HTTPS" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=443
add action=dst-nat chain=dstnat comment="lisa HTTP" disabled=yes dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=80
# NOTE(review): this rule has the same matchers as "jenna HTTPS" above
# (ether1, tcp, port 443) and comes later, so it should never match; TCP 443
# always goes to 10.0.10.5.
add action=dst-nat chain=dstnat comment="lisa HTTPS" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.6 to-ports=443
add action=dst-nat chain=dstnat comment="jenna Tor Relay " dst-port=9001 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=9001
# Port 10051 is forwarded from any source address; if the remote Zabbix
# endpoints are known, a src-address or src-address-list matcher would limit
# who can reach it.
add action=dst-nat chain=dstnat comment="Zabbix Proxy" dst-port=10051 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=10051
add action=dst-nat chain=dstnat comment="Zabbix Proxy" disabled=yes dst-port=\
10051 in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=\
10051
add action=dst-nat chain=dstnat comment="WireGuard VPN UDP" dst-port=51820 \
in-interface=ether1 protocol=udp to-addresses=10.0.10.5 to-ports=51820
# NOTE(review): WireGuard itself runs over UDP only. Unless something else
# listens on TCP 51820 on 10.0.10.5, this forward only widens the exposed
# surface and can be disabled.
add action=dst-nat chain=dstnat comment="WireGuard VPN TCP" dst-port=51820 \
in-interface=ether1 protocol=tcp to-addresses=10.0.10.5 to-ports=51820
/ip firewall raw
# Early drop for packets whose source is on ddos-attackers and whose
# destination is on ddos-target. Both lists are filled only by the detect-ddos
# filter chain, which nothing in this export jumps to, so this rule is
# presumably inactive in practice.
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
/ip service
# Management services. telnet, ftp, api and api-ssl are switched off; www and
# ssh stay enabled on non-default ports. winbox is not mentioned, so it is
# presumably still at its default.
# NOTE(review): "www" is the unencrypted web interface, so credentials entered
# there cross the LAN (including both WLANs) in clear text. Moving a service
# to another port is not access control: no address= restriction is set on any
# service, leaving the input chain as the only gate. Consider disabling www,
# or restricting each remaining service with address= to the management hosts.
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh port=2121
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
# IPv6 sources allowed to reach the router (used by the "allow allowed
# addresses" input rule): one ULA /64, link-local and link-local multicast.
add address=fd12:672e:6f65:8899::/64 list=allowed
# NOTE(review): the link-local block is fe80::/10; /16 covers the addresses
# used in practice. Any on-link neighbour, including one on the WAN segment,
# has a link-local source, and the input rule using this list has no interface
# matcher. Confirm that WAN-side neighbours are meant to reach the router.
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
# Input chain (traffic to the router over IPv6), first match wins.
add action=accept chain=input comment="allow established and related" \
connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
# UDP traceroute range; "port" matches either the source or destination port.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/16
# Full access to the router for every source on the "allowed" list, on any
# interface and any port. That list includes link-local sources.
add action=accept chain=input comment="allow allowed addresses" \
src-address-list=allowed
add action=drop chain=input
# Forward chain: only established/related traffic passes. No rule accepts new
# connections, so the final drop blocks all new IPv6 forwarding.
add action=accept chain=forward comment=established,related connection-state=\
established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
yes log-prefix=ipv6,invalid
# NOTE(review): a log prefix is set but log=yes is not, unlike the rule above,
# so these drops are presumably not logged.
add action=drop chain=forward log-prefix=IPV6
/system clock
# Local time zone; it determines the timestamps on the firewall log entries
# produced by the rules with log=yes.
set time-zone-name=Europe/Ljubljana
/system routerboard settings
# CPU frequency left to automatic selection.
set cpu-frequency=auto
# Graphing is enabled for interfaces, queues and resources, each with an entry
# that sets no parameters.
# NOTE(review): no allow-address is given on any entry, so access to the
# graphs is presumably unrestricted for anyone who can reach the web service;
# they reveal traffic and load patterns. Limit allow-address to the management
# hosts if the graphs are kept.
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-Telnet and MAC-WinBox are limited to interfaces on the LAN list.
# NOTE(review): these are layer-2 services, so the IP input chain and the
# allowed_to_router list presumably do not apply to them. LAN includes both
# radios, which lets any wireless client attempt a MAC-WinBox login. Consider
# a narrower interface list, or "none" if MAC access is not needed.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN